API Overview & Authentication
QuantaPay provides a simple REST-like API for creating payments, querying transactions, and managing your account programmatically.
Endpoint
All API requests are sent to a single endpoint:
POST https://cloud.quantapay.app/api.php
Content Type
Requests use application/x-www-form-urlencoded (standard HTML form encoding).
curl -X POST https://cloud.quantapay.app/api.php \
-d "function=get-balances" \
-d "api-key=YOUR_API_KEY"
Authentication
Every API request must include your API Key as a POST parameter.
| Parameter | Type | Required | Description |
|---|---|---|---|
| api-key | string | Yes | Your API key. Found in Settings → Account. |
| function | string | Yes | The API function name to call. |
Getting Your API Key
- Log in to cloud.quantapay.app
- Go to Settings → Account
- Copy your API Key
Security: Keep your API key secret. Do not expose it in client-side code or public repositories.
HMAC Signature (Optional)
For create-checkout-session, you can add HMAC-SHA256 signature verification to prevent request tampering.
How It Works
- Construct the sign data string: {price}|{currency}|{order_id}|{timestamp}
- Generate HMAC-SHA256 using your Webhook Secret Key as the secret
- Include signature and timestamp in your request
Example (PHP)
$webhook_secret = 'your-webhook-secret-key';
$price = '49.99';
$currency = 'usd';
$order_id = 'ORD-12345';
$timestamp = time();
$sign_data = $price . '|' . $currency . '|' . $order_id . '|' . $timestamp;
$signature = hash_hmac('sha256', $sign_data, $webhook_secret);
// Include in your API request:
// signature={$signature}&timestamp={$timestamp}
Example (Node.js)
const crypto = require('crypto');
const webhookSecret = 'your-webhook-secret-key';
const price = '49.99';
const currency = 'usd';
const orderId = 'ORD-12345';
const timestamp = Math.floor(Date.now() / 1000);
const signData = `${price}|${currency}|${orderId}|${timestamp}`;
const signature = crypto.createHmac('sha256', webhookSecret).update(signData).digest('hex');
Note: The timestamp must be within 5 minutes of the server time, or the request will be rejected with "Request expired".
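The following is an added example, not QuantaPay's own code: it signs the documented string and shows how a receiver could check the signature and the 5-minute window, so you can see a tampered price and a stale timestamp being rejected. The verify function, its return values, the refusal of fields containing "|" and the sample values are assumptions made for illustration.

```javascript
const crypto = require('crypto');

const MAX_SKEW_SECONDS = 5 * 60; // the 5-minute window stated in the note above

// Build "{price}|{currency}|{order_id}|{timestamp}" as documented.
// Assumption: fields containing "|" are refused, so two different
// field sets can never produce the same signed string.
function buildSignData(price, currency, orderId, timestamp) {
  const fields = [price, currency, orderId, timestamp].map(String);
  if (fields.some((f) => f.includes('|'))) {
    throw new Error('field contains the "|" delimiter');
  }
  return fields.join('|');
}

function sign(secret, price, currency, orderId, timestamp) {
  return crypto.createHmac('sha256', secret)
    .update(buildSignData(price, currency, orderId, timestamp))
    .digest('hex');
}

// Hypothetical receiver-side check (not QuantaPay's code).
// Returns 'ok', 'expired' or 'bad-signature'.
function verify(secret, req, nowSeconds) {
  const ts = Number(req.timestamp);
  if (!Number.isInteger(ts) || Math.abs(nowSeconds - ts) > MAX_SKEW_SECONDS) {
    return 'expired';
  }
  const expected = Buffer.from(
    sign(secret, req.price, req.currency, req.order_id, ts), 'hex');
  const given = Buffer.from(String(req.signature), 'hex');
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return 'bad-signature';
  }
  return 'ok';
}

// Constructed sample values, reusing the placeholders from the examples above.
const SECRET = 'your-webhook-secret-key';
const NOW = 1700000000;
const request = { price: '49.99', currency: 'usd', order_id: 'ORD-12345', timestamp: NOW };
request.signature = sign(SECRET, request.price, request.currency, request.order_id, NOW);

console.log(verify(SECRET, request, NOW));                       // ok
console.log(verify(SECRET, { ...request, price: '0.01' }, NOW)); // bad-signature
console.log(verify(SECRET, request, NOW + 301));                 // expired
```

Only the four fields in the sign data string are covered by the signature; any other request parameter can change without invalidating it.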
Response Format
Success
{
"success": true,
"response": { ... }
}
Error
{
"success": false,
"error_code": "error-code-slug",
"message": "Human-readable error description"
}
Error Codes
| Error Code | Description |
|---|---|
| missing-function-name | The function parameter was not included in the request. |
| function-not-found | The specified function name does not exist. |
| api-key-not-found | The api-key parameter was not included. |
| invalid-api-key | The provided API key is incorrect. |
| missing-argument | A required parameter is missing for the specified function. |
Rate Limits
There are no strict rate limits, but excessive requests may be throttled. For typical usage (< 100 requests/minute), no throttling will occur.